The discussion of any work, publications, sales, or activity anywhere in this submission, including in any documents submitted with this application, shall not be taken as an admission that any such work constitutes prior art. The discussion of any activity, work, or publication herein is not an admission that such activity, work, or publication existed or was known in any particular jurisdiction.
In the history of conflict, providing deceptive information to adversaries has been a cornerstone of successful offense and defense. Information protection has included such examples of deception for defense as honey pots to gain insight into attacker behavior, lightning rods to draw fire, and program evolution as a technique for defending against automated attacks on operating systems. Long before computers existed, information protection through deception was widely demonstrated; however, this history also demonstrates that deception is used far more by attackers than by defenders.
Protecting information systems from various forms of attack has long been of concern to practitioners in the field. Some forms of protection are built into operating systems, such as user and/or password authentication. Other forms of protection include various software and sometimes hardware strategies. A very commonly used form of protection is anti-virus software. Inventor Fred Cohen, as early as 1988, proposed and implemented an integrity shell, which was a program that ran in an operating system kernel space and used a modified execution system call to verify a checksum over every program before executing that program. Such a modified system call allowed the system to protect against viruses that hid within executable components, because the presence of such viruses would change the checksum of those executable components. Further information about this work is available at http://all(.)net/books/integ/vmodels.html.
It is believed to be generally known that parts of an operating system, including parts of kernel system calls, can be modified for various reasons. In some cases, modified system calls preserve the original system calls, either so that the modifications can later be removed or so that the original system call can be run after the modified portion has run. For example, such techniques are discussed in “The Linux Kernel Module Programming Guide” by Ori Pomerantz, believed available 1999-05-19. (See www(.)tldp(.)org/LDP/lkmpg/node20.html.)
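The two preceding paragraphs describe the same mechanism from two sides: an execution system call that is replaced by a checking version, and a replacement that keeps the original call so it can fall through to it or be restored. The following is an added example written for this page; it is not Cohen's integrity shell, the patent's code, or code from the Linux Kernel Module Programming Guide. It models the pattern in user space: the "system call" is a function pointer, `install_integrity_hook` saves the original and returns the checking replacement, `verified_exec` refuses images whose checksum differs from a trusted table, and `remove_integrity_hook` restores the original. The function names, the trusted-table layout, the in-memory images and the use of FNV-1a in place of a cryptographic hash are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the page. The "execution system call" is a
 * function pointer over an in-memory image; a real integrity shell would
 * hook the kernel's exec path and hash the file on disk. */
typedef int (*exec_fn)(const char *path, const uint8_t *image, size_t len);

/* FNV-1a stands in for the checksum (assumption); a deployed shell would use
 * a cryptographic hash so that an attacker cannot forge a collision. */
static uint64_t checksum(const uint8_t *data, size_t len) {
    uint64_t h = 14695981039346656037ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Trusted table: path -> checksum recorded at install time. */
#define MAX_TRUSTED 16
struct trusted_entry { const char *path; uint64_t sum; };
static struct trusted_entry trusted[MAX_TRUSTED];
static size_t trusted_count = 0;

/* Record a known-good image for a path (the "install" step of the shell). */
int register_trusted(const char *path, const uint8_t *image, size_t len) {
    if (trusted_count >= MAX_TRUSTED) return -1;
    trusted[trusted_count].path = path;
    trusted[trusted_count].sum = checksum(image, len);
    trusted_count++;
    return 0;
}

/* The original system call is preserved so the hook can fall through to it
 * and so the hook can later be removed. */
static exec_fn original_exec = NULL;

/* Replacement exec: verify first, execute only on a match.
 * Returns -1 for an unknown path, -2 for a checksum mismatch, -3 if no
 * original call is installed; otherwise the original call's result. */
int verified_exec(const char *path, const uint8_t *image, size_t len) {
    for (size_t i = 0; i < trusted_count; i++) {
        if (strcmp(trusted[i].path, path) == 0) {
            if (trusted[i].sum != checksum(image, len))
                return -2;            /* image changed since it was trusted */
            return original_exec ? original_exec(path, image, len) : -3;
        }
    }
    return -1;                        /* not in the trusted table */
}

/* Install: save the original and hand back the replacement, which is what a
 * system-call-table swap does in a kernel module. */
exec_fn install_integrity_hook(exec_fn orig) {
    original_exec = orig;
    return verified_exec;
}

/* Remove: give the original back so the modification can be undone. */
exec_fn remove_integrity_hook(void) {
    exec_fn orig = original_exec;
    original_exec = NULL;
    return orig;
}

/* Stand-in "original" exec that only records that it ran. */
static int exec_calls = 0;
int plain_exec(const char *path, const uint8_t *image, size_t len) {
    (void)path; (void)image; (void)len;
    exec_calls++;
    return 0;
}
int plain_exec_calls(void) { return exec_calls; }

/* Constructed sample images: a pretend binary and a one-byte-modified copy. */
const uint8_t demo_image[]     = { 0x7f, 'E', 'L', 'F', 1, 2, 3, 4 };
const uint8_t tampered_image[] = { 0x7f, 'E', 'L', 'F', 1, 2, 3, 9 };

int main(void) {
    register_trusted("/bin/demo", demo_image, sizeof demo_image);
    exec_fn run = install_integrity_hook(plain_exec);
    printf("trusted image:  %d\n", run("/bin/demo", demo_image, sizeof demo_image));
    printf("tampered image: %d\n", run("/bin/demo", tampered_image, sizeof tampered_image));
    printf("unknown path:   %d\n", run("/bin/other", demo_image, sizeof demo_image));
    remove_integrity_hook();
    return 0;
}
```

The point the example makes concrete is that the check sits in front of the original call rather than replacing it: every path into execution goes through `verified_exec`, the original is still reachable for the trusted case, and unhooking is a pointer swap back. A kernel implementation has the same three pieces (saved original, checking wrapper, table of expected values) with the table itself protected from the programs it vets.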
Various strategies used in computer systems have at times included providing some type of misinformation. Some logic modules, for example, are designed to hide themselves from various operating system functions, such as process viewing functions, and thus can cause those functions to return lists of processes and/or files and/or users, for example, that are not complete. One use of such a strategy is mentioned in the context of a program referred to as the Kernel Intrusion System. This program is described as a kernel-level rootkit that, among other things, makes modifications to the kernel to obtain certain privileges, and hides itself from system administrators. Further information is available at www(.)packetstormsecurity(.)org/UNIX/penetration/rootkits/kis-0.9.tar.gz.
Inventor Fred Cohen has previously proposed using deceptions in the context of networked computers to direct attackers, for example, away from a protected system and into emulation systems or other systems in a network. Such work is discussed in, inter alia, U.S. utility patent application Ser. No. 09/696,893 claiming priority from Ser. No. 60/165,581 and U.S. provisional patent application 60/380,824.
Though limited modifications of operating systems and limited misinformation have previously been known in information systems, generalizable and/or modifiable techniques for providing deception and/or other altered behavior at an operating system level are not available.